WAGO: PPPD in PFC100 and PFC200 Series is vulnerable to CVE-2020-8597

Act Now | CVSS 9.8 | VDE-2020-020 | Jun 10, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

WAGO PFC100 and PFC200 PLCs running firmware versions before FW16 contain a buffer overflow vulnerability in the pppd daemon. The pppd daemon is not enabled by default but can be manually activated by users for custom functionality. An unauthenticated remote attacker can send a specially crafted EAP packet to a PLC with pppd enabled, causing memory corruption in the pppd process and potentially executing arbitrary code on the device.

What this means
What could happen
If the pppd daemon is manually enabled on your PFC100 or PFC200 PLC, an attacker can send a crafted network packet to cause memory corruption and run arbitrary code on the device, potentially altering process logic, stopping operations, or compromising the entire controller.
Who's at risk
Operators of WAGO PFC100 or PFC200 series PLCs on which the pppd daemon has been manually enabled, typically to terminate a PPP-based link for custom network functionality. This covers automation and control systems in factories, process plants and infrastructure automation.
How it could be exploited
An attacker delivers an unsolicited EAP (Extensible Authentication Protocol) packet over a PPP link to a WAGO PLC on which the pppd daemon has been manually enabled. pppd processes the packet before any authentication completes, and does so even if EAP was never negotiated for the link, so turning off EAP authentication in the PPP configuration is not a mitigation. A length check in pppd's EAP handling fails to bound the peer name carried in the packet, causing a buffer overflow in the pppd process; the resulting memory corruption allows the attacker to execute arbitrary code on the PLC without authentication.
Prerequisites
  • pppd daemon must be manually enabled in the PFC100 or PFC200 configuration
  • Ability to deliver PPP frames to that pppd instance, i.e. to act as the peer on the PPP link it serves (pppd does not listen on a TCP/UDP port; how the link is reached depends on how it is configured)
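As an added example (not code from the advisory or from WAGO's firmware), the C program below models the bounds check in upstream pppd's eap.c that CVE-2020-8597 fixed, applied to a constructed EAP-Request/MD5-Challenge. The packet layout (Code, Identifier, Length, Type, Value-Size, Value, Name) and the 256-byte rhostname buffer come from pppd and the EAP RFC; the helper names, the 16-byte dummy challenge and the oversized name are this example's own. It never writes past a buffer: it computes the number of bytes each version of the check would copy and compares that with the buffer size.

```c
/* Added example, not pppd or WAGO code: models the CVE-2020-8597 bounds
 * check in pppd's eap_request() on a constructed EAP-Request/MD5-Challenge.
 * No memory is overflowed here; copy lengths are computed and compared. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EAP_CODE_REQUEST   1
#define EAPT_MD5CHAP       4
#define EAP_HEADERLEN      4
#define RHOSTNAME_SIZE   256   /* pppd: char rhostname[256] in eap_request() */
#define CHALLENGE_LEN     16   /* dummy challenge size used by build_md5chal() */

struct md5chal {
    size_t len;      /* pppd's `len`: bytes after the Type and Value-Size octets */
    size_t vallen;   /* Value-Size octet */
    const uint8_t *name;
    size_t namelen;  /* len - vallen: the peer name pppd copies into rhostname */
};

/* Parse Code/Id/Length/Type/Value-Size, mirroring the checks pppd performs
 * before the flawed one. Returns 0 on success, -1 if malformed. */
static int parse_md5chal(const uint8_t *pkt, size_t pktlen, struct md5chal *out)
{
    if (pktlen < EAP_HEADERLEN + 2)
        return -1;
    uint16_t eaplen = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (pkt[0] != EAP_CODE_REQUEST || eaplen < EAP_HEADERLEN + 2 || eaplen > pktlen)
        return -1;
    if (pkt[4] != EAPT_MD5CHAP)
        return -1;
    size_t len = eaplen - EAP_HEADERLEN - 2;   /* remaining after Type, Value-Size */
    size_t vallen = pkt[5];
    if (vallen < 8 || vallen > len)            /* pppd rejects these lengths */
        return -1;
    out->len = len;
    out->vallen = vallen;
    out->name = pkt + EAP_HEADERLEN + 2 + vallen;
    out->namelen = len - vallen;
    return 0;
}

/* Bytes the pre-fix logic copies into rhostname. The trim branch
 * `vallen >= len + sizeof(rhostname)` can never be taken because
 * vallen <= len, so the copy length len - vallen is never bounded. */
static size_t vulnerable_copy_len(size_t len, size_t vallen)
{
    if (vallen >= len + RHOSTNAME_SIZE)
        return RHOSTNAME_SIZE - 1;
    return len - vallen;
}

/* Bytes the fixed logic copies: the check bounds the name length itself. */
static size_t fixed_copy_len(size_t len, size_t vallen)
{
    if (len - vallen >= RHOSTNAME_SIZE)
        return RHOSTNAME_SIZE - 1;
    return len - vallen;
}

/* Build a constructed EAP-Request/MD5-Challenge carrying a name of namelen
 * bytes. Returns the packet length, or 0 if it does not fit in buf. */
static size_t build_md5chal(uint8_t *buf, size_t bufsz, size_t namelen)
{
    size_t total = EAP_HEADERLEN + 2 + CHALLENGE_LEN + namelen;
    if (total > bufsz || total > 0xFFFF)
        return 0;
    buf[0] = EAP_CODE_REQUEST;
    buf[1] = 0x2a;                                   /* Identifier */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)(total & 0xff);
    buf[4] = EAPT_MD5CHAP;
    buf[5] = CHALLENGE_LEN;
    memset(buf + 6, 0x41, CHALLENGE_LEN);            /* dummy challenge value */
    memset(buf + 6 + CHALLENGE_LEN, 'A', namelen);   /* oversized peer name */
    return total;
}

/* 1 if a name of namelen bytes would overflow rhostname (the copy plus its
 * NUL terminator exceeds 256 bytes), 0 if it fits, -1 if the packet is malformed. */
static int overflows_vulnerable(size_t namelen)
{
    uint8_t pkt[1024];
    struct md5chal c;
    size_t n = build_md5chal(pkt, sizeof pkt, namelen);
    if (n == 0 || parse_md5chal(pkt, n, &c) != 0)
        return -1;
    return vulnerable_copy_len(c.len, c.vallen) >= RHOSTNAME_SIZE;
}

static int overflows_fixed(size_t namelen)
{
    uint8_t pkt[1024];
    struct md5chal c;
    size_t n = build_md5chal(pkt, sizeof pkt, namelen);
    if (n == 0 || parse_md5chal(pkt, n, &c) != 0)
        return -1;
    return fixed_copy_len(c.len, c.vallen) >= RHOSTNAME_SIZE;
}

int main(void)
{
    size_t names[] = { 100, 255, 256, 600 };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("name %4zu bytes: overflow pre-fix=%d fixed=%d\n",
               names[i], overflows_vulnerable(names[i]), overflows_fixed(names[i]));
    return 0;
}
```

A 255-byte name fits (255 bytes plus the terminator fill the buffer exactly); a 256-byte name already writes one byte past rhostname under the original check, and because the EAP Length field is 16 bits the name can be far longer. The fixed check trims anything at or above 256 bytes to 255, which is why a peer name of any length is safe after the fix.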
Tags: remotely exploitable; no authentication required; low complexity; affects critical control systems; CVSS 9.8 (critical)
Affected products (2), 2 with fix

Product            Affected Versions   Fix Status
Hardware PFC100    < FW16              FW16
Hardware PFC200    < FW16              FW16
Remediation & Mitigation
Do now
HARDENING: Verify and document which PLC devices have the pppd daemon manually enabled in their configuration
WORKAROUND: If the pppd daemon is not needed for your application, disable it in the device configuration
HARDENING: Restrict network access to the PLC to trusted engineering and process networks only, using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update PFC100 and PFC200 devices running firmware versions earlier than FW16 to firmware FW16 or later